[strongSwan] ECDSA failures with Strongswan 5.0.2 and openssl 1.0.1e-fips

Scot Hutchinson shutchinson at oceusnetworks.com
Thu Apr 4 17:00:28 CEST 2013

I rebuilt strongswan with the CFLAGS you suggested and that resolved the issue we were seeing.


From: Tobias Brunner [tobias at strongswan.org]
Sent: Tuesday, April 02, 2013 11:50 AM
To: Scot Hutchinson
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] ECDSA failures with Strongswan 5.0.2 and openssl 1.0.1e-fips

Hi Scot,

> Apr  2 15:18:16 00[LIB] feature PUBKEY:ECDSA in 'pem' plugin has unsatisfied dependency: PUBKEY:ECDSA

It seems the openssl plugin was not built with ECDSA support.  Which is
strange if you used ipsec pki on the same host to create the ECDSA keys
and certificates.  The openssl plugin uses openssl/conf.h to detect
which features the OpenSSL library was built with.  Did you perhaps
build strongSwan before you reconfigured OpenSSL with ECC support?  Or
are perhaps the wrong OpenSSL header files used by strongSwan?  If so,
you might want to try adding -I/path/to/proper/openssl/headers to the
strongSwan CFLAGS.
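
A way to check for the header mismatch described above, as an added example that is not part of the original thread or of strongSwan's code. It assumes the feature switches are `OPENSSL_NO_*` macros in `openssl/opensslconf.h` (or per-architecture `opensslconf-<arch>.h` files on some distributions); the function name and any directories passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the OpenSSL headers under an include
# directory were configured without EC/ECDSA support.
#
# Assumptions (not from the original thread): feature switches are
# OPENSSL_NO_* macros defined in openssl/opensslconf.h, and some
# distributions split that file into per-architecture
# opensslconf-<arch>.h files, so every opensslconf*.h is scanned.

# Usage: openssl_ec_headers INCLUDE_DIR
# Prints "file:line" for each disabling macro found.
# Returns 0 = EC enabled, 1 = EC disabled, 2 = headers not found.
openssl_ec_headers() {
    incdir=$1
    found=0
    disabled=0
    for hdr in "$incdir"/openssl/opensslconf*.h; do
        [ -f "$hdr" ] || continue
        found=1
        # Match "#define OPENSSL_NO_EC", "# define OPENSSL_NO_ECDSA", etc.,
        # but not longer names such as OPENSSL_NO_EC_NISTP_64_GCC_128.
        # /dev/null as a second file makes grep prefix the file name.
        hits=$(grep -E '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_(EC|ECDSA|ECDH)([[:space:]]|$)' "$hdr" /dev/null || true)
        if [ -n "$hits" ]; then
            disabled=1
            printf '%s\n' "$hits"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no openssl/opensslconf*.h under $incdir" >&2
        return 2
    fi
    return "$disabled"
}

# Compare candidate include directories given on the command line, e.g.
# the system include directory and the one passed via -I in CFLAGS.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        if openssl_ec_headers "$d"; then
            echo "$d: EC/ECDSA enabled in headers"
        else
            echo "$d: EC/ECDSA disabled or headers missing"
        fi
    done
fi
```

If the directory the compiler picks up by default reports EC disabled while the directory of the rebuilt OpenSSL does not, the plugin was compiled against stale headers.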

